Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets
Three unpatched high-severity bugs in the NGINX ingress controller can be abused by miscreants to steal credentials and other secrets from Kubernetes clusters.
The Register did not immediately receive a response to questions, including if the bugs have been found and exploited and when a patch will be issued.
All three flaws affect users of the NGINX ingress controller for Kubernetes, which uses NGINX as a reverse proxy and load balancer.
The first two, CVE-2023-5043 and CVE-2023-5044, are both due to improper input validation and can be exploited to inject arbitrary code, obtain high-level credentials and steal all secrets from the cluster. Both are rated "high" severity bugs, received CVSS ratings of 7.6 out of 10, and affect versions 1.9.0 and earlier.
If someone can create or update ingress objects, they can exploit this bug to obtain Kubernetes API credentials from the ingress controller, and then use that access to steal all secrets in the cluster.
"The fact that ingress controllers have access to TLS secrets and Kubernetes API by design makes them workloads with high privilege scope," Hirschberg wrote in a blog about the three bugs.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-25 | CVE-2023-5044 | Code injection vulnerability in Kubernetes Ingress-Nginx: code injection via the nginx.ingress.kubernetes.io/permanent-redirect annotation. | 8.8 |
| 2023-10-25 | CVE-2023-5043 | Injection vulnerability in Kubernetes Ingress-Nginx: ingress nginx annotation injection causes arbitrary command execution. | 8.8 |
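The article's precondition (anyone who can create or update Ingress objects can reach the controller's credentials) and the annotation named in the table above suggest two defender checks: which RBAC subjects hold create/update/patch on ingresses, and which Ingress objects carry the `nginx.ingress.kubernetes.io/permanent-redirect` annotation or an annotation value containing nginx directive separators. The script below is an added example, not code from The Register, ARMO or the ingress-nginx project. The RBAC and Ingress manifests are constructed sample data, and treating `;`, `{`, `}` and newlines in annotation values as suspicious is a heuristic assumed here, not something the page states.

```python
"""Offline audit of Kubernetes RBAC and Ingress manifests for the two exposure
conditions discussed in the article (added example, constructed input)."""
from typing import Dict, List

# Annotation named in the CVE-2023-5044 table entry.
ADVISORY_ANNOTATIONS = {"nginx.ingress.kubernetes.io/permanent-redirect"}
# Heuristic (assumption): characters that separate or delimit nginx directives.
DIRECTIVE_SEPARATORS = (";", "\n", "{", "}")
WRITE_VERBS = ("create", "update", "patch")


def _grants(rule: Dict) -> bool:
    """True if one RBAC rule allows writing Ingress objects."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    group_ok = "*" in groups or "networking.k8s.io" in groups
    resource_ok = "*" in resources or "ingresses" in resources
    verb_ok = "*" in verbs or any(v in verbs for v in WRITE_VERBS)
    return group_ok and resource_ok and verb_ok


def ingress_writers(roles: List[Dict], bindings: List[Dict]) -> List[str]:
    """Return 'Kind/name' for every subject bound to a Role/ClusterRole that can
    create, update or patch ingresses. Binding namespaces are ignored here; a
    production audit would report them too."""
    risky = {(r["kind"], r["metadata"]["name"])
             for r in roles if any(_grants(rule) for rule in r.get("rules", []))}
    subjects = set()
    for b in bindings:
        ref = b["roleRef"]
        if (ref["kind"], ref["name"]) in risky:
            for s in b.get("subjects", []):
                subjects.add(f'{s["kind"]}/{s["name"]}')
    return sorted(subjects)


def flag_ingress_annotations(ingresses: List[Dict]) -> List[Dict]:
    """Report ingress-nginx annotations that are named in the advisory or whose
    value contains directive separators (heuristic)."""
    findings = []
    for ing in ingresses:
        meta = ing["metadata"]
        for key, value in (meta.get("annotations") or {}).items():
            if not key.startswith("nginx.ingress.kubernetes.io/"):
                continue
            reasons = []
            if key in ADVISORY_ANNOTATIONS:
                reasons.append("annotation named in advisory")
            if any(sep in value for sep in DIRECTIVE_SEPARATORS):
                reasons.append("value contains nginx directive separators")
            if reasons:
                findings.append({"ingress": f'{meta.get("namespace", "default")}/{meta["name"]}',
                                 "annotation": key, "reasons": reasons})
    return findings


# Constructed sample manifests, shaped like the 'items' of `kubectl get ... -o json`.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "ingress-editor", "namespace": "apps"},
     "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
                "verbs": ["get", "list", "create", "update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "roleRef": {"kind": "Role", "name": "ingress-editor"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer"}]},
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]
SAMPLE_INGRESSES = [
    {"metadata": {"name": "shop", "namespace": "apps",
                  "annotations": {"nginx.ingress.kubernetes.io/ssl-redirect": "true"}}},
    {"metadata": {"name": "legacy", "namespace": "apps",
                  "annotations": {"nginx.ingress.kubernetes.io/permanent-redirect": "https://shop.example.com/"}}},
    {"metadata": {"name": "odd", "namespace": "apps",
                  "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/api; extra"}}},
]

if __name__ == "__main__":
    print("Subjects that can write ingresses:", ingress_writers(SAMPLE_ROLES, SAMPLE_BINDINGS))
    for f in flag_ingress_annotations(SAMPLE_INGRESSES):
        print(f)
```

Against a live cluster the same functions accept the `items` lists from `kubectl get roles,clusterroles -A -o json`, `kubectl get rolebindings,clusterrolebindings -A -o json` and `kubectl get ingress -A -o json`. The RBAC list is the more important output: the article's point is that the controller's privilege scope is by design, so limiting who can write Ingress objects is the control that remains until patched versions ship.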